Microsoft admits to 'mistakes' in Office format fracas

A Microsoft blog posting from a software engineer apologized for botching up communications around the blocking of old Office, Corel, and Lotus file formats in Office 2003 SP3. Why did anyone think these were security risks?

Responding to reactions from Corel and countless end users, Microsoft apologized late Friday for inaccurately blaming the file formats of other companies for security problems in Microsoft Office. At the same time, it released somewhat simplified tools for accessing files from older Microsoft, Corel, and Lotus applications previously blocked when users installed Office 2003 Service Pack (SP) 3.

Microsoft delivered the apology through an online blog posting by David LeBlanc, a senior software development engineer. LeBlanc admitted that Microsoft made several mistakes around trying to improve Microsoft Office security in SP3, including attributing security issues in Office to application file formats, when the problem was actually caused by parsing software used inside Office for opening and saving files.

In an interview with BetaNews on Friday afternoon, Gerard Metrallier, Corel's director of product management for graphics, said Corel was then in the middle of active talks with Microsoft about how to address confusions around a Microsoft KnowledgeBase article which incorrectly claimed that older file formats from Corel's CorelDRAW and Quattro; Lotus Notes; and Microsoft's own Excel, Word and PowerPoint products are "less secure" than the formats in Office 2003 and 2007.

Metrallier also told BetaNews that Microsoft had agreed to make changes in the KnowledgeBase article responsible for stirring up the controversy, and that a revision of the document was expected quite soon.

In keeping with a promise made in LeBlanc's blog for Microsoft's mistakes to be corrected immediately, Microsoft updated the KnowledgeBase article on Friday, while also issuing an easier-to-use approach for opening some of the blocked file formats from inside Office 2003.

"Some of the formats blocked are from products built by companies other than Microsoft, and we apologize for implying that there were any problems in those companies' file formats," LeBlanc wrote in his blog.

"We stated that it was the file formats that were insecure, but this is actually not correct. A file format (with some exceptions, like .HLP files) isn't insecure, it's the code that reads the format that's more or less secure. The parsers we use for these older formats aren't as robust as the code we've written more recently, which is part of our decision to disable them by default."

LeBlanc also explained that Microsoft had decided to use SP3 to disable parsers for these older formats in Office 2003 by default, because attackers had been trying to exploit these parsers as vulnerability points.

"[But] we are not removing your ability to read these files. If you need them, they are still there. All we've changed is the default. The older formats are still supported," he said.

"We understand that some of you have a need to be able to read archived files, sometimes for long periods, and we will continue to support that."

Beyond impugning the older file formats, the original version of the KnowledgeBase article provided some workarounds for opening some but not all of the older file formats that have been blocked through SP3.

Microsoft's initial workarounds re-enabled the older file formats for Microsoft Word, Excel, and Powerpoint, as well as the .CDR graphics files in CorelDRAW.

But Microsoft did not provide any workarounds for the file formats used in older versions of two other software products that the company mistakenly dubbed as "insecure": Lotus Notes and Corel's Quattro spreadsheet program.

Microsoft's initial workarounds required users to either download SP3 administrative templates or use a series of tricky instructions from the command line in order to make changes to registry settings.

The revised edition of the article, posted on Friday, retains these two earlier methods, while also adding an easier-to-use third approach, which provides a downloadable update for automatically re-enabling the file formats for Word, Excel, PowerPoint, and CorelDRAW.

But at the time of this writing, Microsoft still hasn't issued any workarounds in the KnowledgeBase article for Notes or Quattro, even though SP3 continues to block old file formats for these two applications by default.

Even before Microsoft issued its apology on Friday, Metrallier said that he didn't think the misstatements made in the original document were intentional on Microsoft's part. Instead, Metrallier attributed the problem to "miscommunications."

Metrallier also told BetaNews that he views CorelDRAW as "complementary" to Microsoft's software, in that Microsoft doesn't offer a competing drawing package. "We really want CorelDRAW to be able to work with Office," he said.

But also on Friday, Greg Wood, Corel's communications manager for office productivity, told BetaNews that Corel had previously become concerned that Microsoft Office 2007 files can't be opened in current editions of either Quattro, WordPerfect, or Corel's Present presentation package -- three applications that do compete against Microsoft's own. Corel is now in beta with a solution to that problem.

Meanwhile, systems administrators and end users have been flooding Web forums with complaints about their sudden inability to access older file formats inside Microsoft Office 2003 once SP3 is in place.

Some observers have questioned, too, why Microsoft hasn't been communicating about the security issues in Office, file blocking in SP3, and potential remedies for these problems in ways more accessible to the vast bulk of end users -- who typically lack the time and know-how to scour the Web for blog postings and KnowledgeBase articles when all they want to do is to re-open an old Word, Quattro, or Notes file.

Microsoft officials were initially unavailable for comment.